Synopsis
If you are the designer of a privacy critical system who has a set privacy requirements to meet, and you are given a set of privacy policies and a domain model representing the operational context of the designed system. Then, one way of satisfying such privacy
requirements in your system design is your ability to justify that the disclosure of information by the system as a result of an information request does not result in the violation of associated policies. The focus of Caprice is therefore to help designers
to discover possible runtime privacy threats resulting from information disclosure and potential mitigation actions. These threats are privacy violations that systems user may face in an environment where context changes frequently.

To be explicit, Caprice is meant to inform an implementation of adaptive privacy system, and not the implementation or a theorem prover. Rather, we believe that Caprice is a useful tool for endearing the so call
privacy-by-design paradigm by making explicit the context of privacy violations and possible mitigation actions at design time.

Target audience(User Manual),
(Installation Instructions)
Caprice is targeted at designers of any system where information disclosure is modelled as the transfer of messages between a group or community of interacting agents. Examples of such systems include mobility based systems and devices, social networks and
energy consumption and distribution in a smart grid.

Framework
The framework for Caprice consist of three analysis steps (Figure 1).

Identify the set of monitored context attributes required to satisfy privacy awareness.

Based on monitored attributes, carry out privacy threats analysis to discover operational context that can violate privacy.

By computing the severity of discovered threat, a possible adaptation action is suggested to the designer.

Caprice leverages on contextual integrity as a means to justify the preservation or violation of privacy in a system's behavioural model. Contextual integrity posits that the transfer of information about a subject from a sender to a receiver in
a specific context, are tied to certain transmission principles (such as notice, consent, confidentiality, etc.). In Caprice, we operationalize these transmission principles in a system by using privacy policies. Then based on the behavioural representation
of the system (as a finite state machine) and a domain model, we reason over operational context that threatens privacy and possible adaptation actions to ameliorate the discovered threat.

Figure 1

Caprice suggests four categories of adaptation actions based on the severity of discovered threat. These include to
Ignore, React, Prevent or Terminate usage interactions that can generate discovered threat. Threat severity is computed based on the
obfuscation and sensitivity levels of disclosed information. Least severe threat can be ignored while very severe ones are terminated. If a specific threat reoccurs frequently, then a more severe adaptation action is recommended to the designer.